Back to news

IEEE Approves First International Standard for Designing Secure Space Systems

Share:
IEEE Approves First International Standard for Designing Secure Space Systems

The IEEE Standards Association's Standards Board approved P3536, the Standard for Space System Cybersecurity Design, on March 26, 2026, giving satellite manufacturers and operators the first international technical standard for building cybersecurity into space systems at the design stage rather than adding it after launch. The approval caps a four-year drafting effort and lands at a moment when constellation growth, the 2025 Israel-Iran conflict, and the US Golden Dome missile defense program have pushed space cybersecurity further up the priority list for both industry and government.

A design process, not a post-launch checklist

P3536 defines cybersecurity controls across four technical modules: the ground system, the space vehicle, the link segment connecting them, and an integration layer covering the APIs, data links, and test environments that tie a mission together, according to the working group's own project page. A fifth subcommittee addresses the user segment: handsets, tablets, base stations, and the navigation and remote-sensing applications that sit on top of a satellite service. Gregory Falco, the Cornell University aerospace engineering professor who chairs the working group behind the standard, frames its purpose as ruling out entire categories of attack through how a system is engineered, rather than layering monitoring and patches onto a design that was never built with security in mind, as he explained to Orbital Today.

Why the timing matters

Falco ties the push partly to the sheer scale of what is now in orbit: more than 12,000 active satellites are transmitting data to low-cost ground terminals over laser crosslinks, up from a fraction of that a decade ago as constellations like Starlink and Amazon's Leo have gone operational, according to a Via Satellite analysis. That piece also points back to the 2022 Viasat KA-SAT denial-of-service attack, which knocked out internet service across parts of Europe just as Russia invaded Ukraine, as the incident the industry keeps returning to when explaining why space cybersecurity can no longer be treated as a secondary concern. Falco separately links the standard's urgency to the 2025 Israel-Iran war, which drove a surge in cyberattacks against satellite systems, and to the Golden Dome missile defense initiative, both of which have put commercial constellations like Starlink more squarely in the crosshairs, he told Orbital Today.

How it differs from the standards bodies already in place

Space agencies already had standards bodies before P3536. The Consultative Committee for Space Data Systems, an international group of space agencies, moves recommendations through draft "White Books" toward recommended "Magenta" and "Blue Books," and the European Cooperation for Space Standardization published its own set of technical standards in July 2024, according to ENISA. Neither, according to the working group's own scoping paper, provides technical cybersecurity specifications for the modular, commercial-off-the-shelf systems that increasingly dominate the market, from CubeSats to mass-produced smallsat buses built for on-orbit servicing and assembly. Falco has also framed P3536 against the older, controls-oriented security paradigm represented by catalogs like NIST's security and privacy controls, arguing in a 2024 statement that government policy is finally pivoting toward the same secure-by-design principles the standard was built around.

A voluntary standard stepping into a regulatory vacuum

Until now, the closest thing the US had to space-specific cybersecurity guidance was Space Policy Directive-5, issued in September 2020, which set out best practices for authentication, encrypting command links, and intrusion detection but stopped short of firm requirements, according to a NATO-affiliated analysis of the space supply chain. National efforts have multiplied rather than converged since then: India's CERT-In issued a space cybersecurity framework in February 2026 requiring security-by-design practices and incident reporting within six hours, covering everyone from ISRO to Starlink's Indian license, according to a MediaNama analysis. The EU's draft Space Act, meanwhile, would attach security-by-design conditions to market access for any operator serving European customers, an analysis of the draft found. None of these regimes specifies a common technical design methodology, which is the gap P3536 is built to fill.

A standard written by the people who'll have to use it

The effort traces back to the ASCEND 2022 conference, where more than 40 co-authors published a call to action arguing that space cybersecurity lacked the industry-wide standards other critical infrastructure sectors had long since adopted, according to the working group's project page. That call grew into the IEEE Space System Cybersecurity Working Group, known as S2CY, which now draws more than 200 experts from over 20 countries under Falco's chairmanship and IEEE program manager Tom Thompson, per the IEEE Standards Association. Rather than working from first principles, the group has drawn on the Aerospace Corporation's SPARTA matrix, a publicly available database of real and lab-tested space-cyber tactics and techniques, feeding lessons from simulated attack scenarios back into the standard as operators use and refine it, a Via Satellite analysis noted.

What P3536 doesn't fix

An IEEE standard carries no enforcement mechanism of its own. Whether P3536 becomes an actual design requirement depends on whether contracts, insurers, export-control regimes, or national regulators start pointing to it, none of which has happened yet. It also can't reach backward: many satellites already in orbit run on hardware and software that predates modern encryption, and retrofitting cryptography onto systems that can't be physically accessed is often technically or economically impossible, a Mayer Brown analysis of space cybersecurity regulation observed. That same analysis warned that smaller companies and startups now central to commercial space innovation may lack the resources to keep pace with evolving standards, while established manufacturers struggle to push updates across older, already-deployed fleets. The broader regulatory picture P3536 sits inside remains fragmented rather than unified: a SpaceNews analysis catalogued operators juggling the EU's NIS2 directive, Australia's Security of Critical Infrastructure Act, Singapore's Cybersecurity Act, and further national regimes still in development, with no sign that the fragmentation is set to ease.

News first reported by Orbital Today, drawing on IEEE Standards Association project documentation.